Introduction to (profiled) side-channel analysis Annelie Heuser
In this talk… • … back to the basics!! • details on power / EM leakage (low/high noise scenario) • how/where to attack AES? • different attacker models • overview of side-channel distinguishers • details on template attack and stochastic approach • side-channel evaluation metrics • …
Side-channel analysis [Figure: cryptography between Alice and Bob; side-channel information (time, sound, electromagnetic emanation) about the secret key / sensitive data]
Side-channel analysis • Invasive hardware attacks, proceeding in two steps: 1) During cryptographic operations capture additional side-channel information • power consumption/ electromagnetic emanation • timing • noise, … 2) Side-channel distinguisher to reveal the secret [Figure labels: Input, Side-channel distinguisher]
Side-channel attacks • …are real in practice • Beginning 2016: FBI asks Apple to bypass their encryption • Handful of methods to break into the encrypted iPhone ๏ software bugs ๏ side-channel attacks ๏ glitch attack ๏ invasive attacks • Documents released by Snowden: NSA is studying the use of side-channel attacks to break into iPhones
Side-channel attacks • …are real in practice • attacking Philips Hue smart lamps • side-channel attack revealed the global AES-CCM key used to encrypt and verify firmware updates • insert malicious update: lamps infect each other with a worm that has the potential to control the device • Paper: Eyal Ronen et al., IoT Goes Nuclear: Creating a ZigBee Chain Reaction
Observable leakage • In this talk: Power/EM as leakage source • register writing, loading / storing, computations • bytes, bits, nibbles, … (also architecture dependent) • coarse grained model: Hamming weight/distance model • fine grained model: intermediate states / key values
Side-channel targets • Symmetric block ciphers • Asymmetric block ciphers • Signatures • Post-quantum schemes • hash-based message authentication code (HMAC) • …
Symmetric key crypto • input: plaintext • output: ciphertext • secret key used for encryption and decryption • block ciphers: AES, lightweight ciphers: PRESENT • with side-channel information able to reveal secret key
AES • plaintext/ciphertext: 128-bit • secret key: 128, 192, 256 bits with 10/12/14 rounds • each round distinct round key
Side-channel attacks on AES • secret key: 128, 192, 256 bits (infeasible to iterate on) • side-channel attacks use divide-and-conquer • attack each byte independently • 256 key guesses, iteration easily possible • embedded devices typically operate on bytes • key byte information is mixed by the MixColumns operation => attack before! • Typically first round or last round…
SCA on AES (first round) label: SECRET
SBox and key guesses • Toy example: • 6 plaintext bytes = [ 24 1 230 50 10 155]; • 3 key guesses = [ 1 2 3 ];
SCA on AES (last round) label: or
Dataset 1 • Low noise dataset - DPA contest v4 (publicly available) • Atmel ATMega-163 smart card connected to a SASEBO-W board • AES-256 RSM (Rotating SBox Masking) • In this talk: mask assumed known • used in this talk: 1 000 000
Traces • Trace length regarding one S-box operation: 3000
Leakage • Attack first round • Correlation between HW of the Sbox output and traces
Observable leakage • HWs of the Sbox output are easily distinguishable • Indications that the HW model is not precise
Observable leakage • Densities according to the Sbox output
Observable leakage • Hamming weight grouping over time
Dataset 2 • High noise dataset (still unprotected!) • AES-128 core was written in VHDL in a round based architecture (11 clock cycles for each encryption). • The design was implemented on Xilinx Virtex-5 FPGA of a SASEBO GII evaluation board. • used in this talk: 1 000 000 • publicly available on github: https://github.com/AESHD/AES_HD_Dataset
Traces • Complete trace length: 1250 • Trace length regarding one S-box operation: approx 150
Leakage • Correlation between HD of the Sbox output (last round) and traces
Observable leakage • High noise scenario: densities of HWs
Observable leakage • High noise scenario: 256 classes
Attacker models • un-profiled: attacker only has access to the device under attack • weakest attacker, but more “robust” [Figure: ATTACKING: traces and hypothetical labels, classification algorithm, secret]
Attacker models • profiled (traditional view): attacker possesses two devices - profiling and attacking • stronger attacker, but with more pitfalls…
Side-channel attacks • Profiled: • Unprofiled: • Template attack • Difference-of-means • Stochastic approach • Correlation Power Analysis (CPA) • Machine learning • Linear regression techniques Analysis • Deep learning • Deep learning techniques techniques (supervised)
Unprofiled SCA [Figure: Traces (# samples × # points) and Labels (# samples × # key guesses) produce an Output (# key guesses × # points)]
CPA [Figure: ρ(Traces, Labels) gives the Output (# key guesses × # points)]
CPA • Dataset 1: Labels = output of the S-Box in the first round
Profiled side-channel • Profiling phase: • classification (Template attack, SVM, RF, Deep learning) • regression (Stochastic approach) • Attacking phase: • maximum likelihood principle
Profiled SCA • Profiling phase: building model [Figure: Traces (# samples × # points), Labels and key are given to the Algorithm, which builds the MODEL]
Profiled SCA • For each trace in the attacking phase, get the probability that the trace belongs to a certain class label [Figure: Trace and MODEL are given to the Algorithm, which outputs a Probability]
Profiled SCA • Maximum likelihood principle to calculate the probability that a set of traces belongs to a certain key [Figure: each Trace yields Probabilities (one per key guess); combined over all traces they give the key ranking]
Template attack • first profiled attack • optimal from an information-theoretic point of view • may not be optimal in practice • often works with the pre-assumption that the noise is normally distributed • advantage of being easier to estimate: mean and covariances for each class label • pooled version [Figure: Algorithm = density estimation, MODEL = densities]
Template attack • Dataset 1: low noise • Assumption of multivariate normal distribution: means and covariances over a set of points
Template attack • Dataset 2: high noise
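The label matrix of the toy S-box example, the un-profiled CPA and the profiled template attack from the slides above, run side by side on simulated traces. This is an added example, not code from the talk. The trace simulation (Hamming-weight leakage at one point plus Gaussian noise), the keys 0x3C and 0xA7, the univariate pooled-variance template and all function names are assumptions.

```python
import numpy as np

def aes_sbox():
    # AES S-box: inverse in GF(2^8) (walking the powers of 3), then the affine map.
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox, p, q = [0x63] * 256, 1, 1
    for _ in range(255):                                        # 3 generates all nonzero elements
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4                   # q /= 3, reduced on the next line
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
    return np.array(sbox)

SBOX, HW = aes_sbox(), np.array([bin(v).count("1") for v in range(256)])

def hypotheses(pts, guesses=range(256)):
    # Label matrix (# samples x # key guesses): HW(Sbox(plaintext XOR guess)).
    return HW[SBOX[np.asarray(pts)[:, None] ^ np.asarray(guesses)]]

def simulate(n, key, noise, rng, points=20, poi=7):
    # Constructed traces: HW leakage at one point, Gaussian noise at every point.
    pts, traces = rng.integers(0, 256, n), rng.normal(0.0, noise, (n, points))
    traces[:, poi] += HW[SBOX[pts ^ key]]
    return pts, traces

def cpa(pts, traces):
    # Un-profiled: |Pearson rho| of every guess's labels with every trace point.
    h = hypotheses(pts) - hypotheses(pts).mean(0)
    t = traces - traces.mean(0)
    return np.abs(h.T @ t) / np.outer(np.linalg.norm(h, axis=0), np.linalg.norm(t, axis=0))

def profile(pts, key, leak):
    # Profiling phase: one mean per HW class and a pooled variance.
    labels = HW[SBOX[pts ^ key]]
    means = np.array([leak[labels == c].mean() for c in range(9)])
    return means, np.mean((leak - means[labels]) ** 2)

def template_rank(pts, leak, means, var):
    # Attacking phase: summed Gaussian log-likelihood per guess, best guess first.
    loglik = -((leak[:, None] - means[hypotheses(pts)]) ** 2).sum(0) / (2 * var)
    return np.argsort(-loglik)

def demo(seed=1, noise=4.0):
    rng = np.random.default_rng(seed)
    pp, tp = simulate(20000, 0x3C, noise, rng)        # profiling device, key known
    pa, ta = simulate(3000, 0xA7, noise, rng)         # device under attack
    poi = cpa(pp, tp)[0x3C].argmax()                  # point of interest from profiling set
    ranking = template_rank(pa, ta[:, poi], *profile(pp, 0x3C, tp[:, poi]))
    return int(cpa(pa, ta).max(1).argmax()), int(ranking[0])
```

`hypotheses([24, 1, 230, 50, 10, 155], [1, 2, 3])` gives the 6 x 3 label matrix of the toy example; `demo()` returns the key byte recovered by CPA and by the template attack.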
Stochastic Approach • uses regression instead of classification • estimate a function that models the leakage • constructive: may provide detailed feedback about leakage “source” [Figure: Algorithm = linear regression, MODEL = regression coefficients / beta-coefficients]
Stochastic Approach • Regressors/ “basis (functions)” for linear regression: • 9-dimensional basis: const + bits • 37-dimensional basis: const + bits + prod 2 bits • 92-dimensional basis: const + bits + prod 2 bits + prod 3 bits • … • 256-dimensional basis: const + bits + prod 2 bits + prod 3 bits + prod 4 bit + prod 5 bit + prod 6 bit + … + prod 8 bit
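The stochastic approach with the 9- and 37-dimensional bases, as an added example (not code from the talk): a least-squares fit of the beta-coefficients on simulated leakage of a known intermediate byte. The per-bit weights, the bit0·bit1 interaction term, the noise level and the function names are constructed for illustration.

```python
import numpy as np
from itertools import combinations

def basis(values, degree):
    # Regressors: const, the 8 bits, then products of 2..degree distinct bits.
    bits = (np.asarray(values)[:, None] >> np.arange(8)) & 1
    cols = [np.ones(len(bits))]
    for d in range(1, degree + 1):
        cols += [bits[:, list(c)].prod(1) for c in combinations(range(8), d)]
    return np.column_stack(cols)

def fit(values, leak, degree):
    # Profiling: least-squares beta-coefficients and the residual variance.
    a = basis(values, degree)
    beta = np.linalg.lstsq(a, leak, rcond=None)[0]
    return beta, float(np.mean((leak - a @ beta) ** 2))

# Constructed leakage model: unequal bit weights plus one bit0*bit1 interaction.
WEIGHTS = np.array([1.0, 1.0, 0.4, 1.0, 1.6, 1.0, 1.0, 1.0])

def demo(seed=2, n=50000, noise=1.0):
    rng = np.random.default_rng(seed)
    v = rng.integers(0, 256, n)                  # known intermediate values (profiling set)
    b = (v[:, None] >> np.arange(8)) & 1
    leak = 0.5 + b @ WEIGHTS + 0.8 * b[:, 0] * b[:, 1] + rng.normal(0, noise, n)
    return fit(v, leak, 1), fit(v, leak, 2)      # 9-dim and 37-dim basis
```

With the 9-dimensional basis the interaction is absorbed into the bit 0 and bit 1 coefficients; the 37-dimensional basis separates it and recovers the per-bit weights, showing which bits leak more or less.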
Stochastic Approach • Dataset 1: low noise • Basis: 9-dimensional
Stochastic Approach • Dataset 1: low noise • 9-dim basis, zoom in
Stochastic Approach • Dataset 1: low noise • 37-dim basis, zoom in
Stochastic Approach • Dataset 2: high noise
Stochastic Approach • Dataset 2: high noise • zoom in
Constructiveness? Michael Kasper, Werner Schindler, Marc Stöttinger: A stochastic method for security evaluation of cryptographic FPGA implementations. FPT 2010: 146-153
Success rate • Success rate: average estimated probability of success • empirically: using measurements/ simulations • theoretically: using closed-form expressions • For CPA and template attack the theoretical success rate depends on 3 factors • number of measurements • signal-to-noise ratio • confusion coefficient • Yunsi Fei, Qiasi Luo, A. Adam Ding: A Statistical Model for DPA with Novel Algorithmic Confusion Analysis. CHES 2012: 233-250
Confusion Coefficient • Interestingly, predictions for different key guesses are not independent • Confusion coefficient describes the relationship • (simplified) metric: the lower the minimum confusion coefficient (over all keys) the higher the side-channel resistance • Sylvain Guilley, Annelie Heuser, Olivier Rioul: A Key to Success - Success Exponents for Side-Channel Distinguishers. INDOCRYPT 2015: 270-290
SBoxes • SBoxes with optimal cryptographic properties • 4-bit S-boxes: KLEIN, Midori (1/2), Mysterion, Piccolo, PRESENT / LED, Pride, PRINCE, Rectangle, Skinny • 8-bit S-boxes: AES, Robin, Zorro • A. Heuser, S. Picek, S. Guilley, N. Mentens: Lightweight ciphers and their side-channel resilience, IEEE Transactions on Computers